Navigation

Buildbot steps might need secrets to execute their actions.
Secrets are used to execute commands or to create authenticated network connections.
Secrets may be a SSH key, a password, or a file content like a wgetrc file or a public SSH key.
To preserve confidentiality, the secrets values must not be printed or logged in the twisted or steps logs.
Secrets must not be stored in the Buildbot configuration (master.cfg), as the source code is usually shared in SCM like git.

File system based: secrets are written in a file.
This is a simple solution for example when secrets are managed by config management system like Ansible Vault.

Third party backend based: secrets are stored by a specialized software.
These solution are usually more secured.

Secrets providers are configured if needed in the master configuration.
Multiple providers can be configured at once.
The secret manager is a Buildbot service.
The secret manager returns the specific provider results related to the providers registered in the configuration.

Secret can be used in Buildbot via the IRenderable mechanism.
Two IRenderable actually implement secrets.
Interpolate can be used if you need to mix secrets and other interpolation in the same argument.
Interpolate can be used if your secret is directly used as a component argument.

frombuildbot.pluginsimportsecrets,util# First we declare that the secrets are stored in a directory of the filesystem# each file contain one secret identified by the filenamec['secretsProviders']=[secrets.SecretInAFile(dirname="/path/toSecretsFiles")]# then in a buildfactory:# use a secret on a shell command via Interpolatef1.addStep(ShellCommand(util.Interpolate("wget -u user -p '%(secret:userpassword)s' '%(prop:urltofetch)s'")))# .. or non shell form:f1.addStep(ShellCommand(["wget","-u","user","-p",util.Secret("userpassword"),util.Interpolate("%(prop:urltofetch)s")]))

Secrets are also interpolated in the build like properties are, and will be used in a command line for example.

You can use secrets to configure services.
All services arguments are not compatible with secrets.
See their individual documentation for details.

# First we declare that the secrets are stored in a directory of the filesystem# each file contain one secret identified by the filenamec['secretsProviders']=[secrets.SecretInAFile(dirname="/path/toSecretsFiles")]# then for a reporter:c['services']=[GitHubStatusPush(token=util.Secret("githubToken"))]

Vault secures, stores, and tightly controls access to secrets.
Vault presents a unified API to access multiple backends.
To be authenticated in Vault, Buildbot need to send a token to the vault server.
The token is generated when the Vault instance is initialized for the first time.

In the master configuration, the Vault provider is instantiated through the Buildbot service manager as a secret provider with the the Vault server address and the Vault token.
The provider SecretInVault allows Buildbot to read secrets in Vault.
For more information about Vault please visit: Vault: https://www.vaultproject.io/

A Docker image is available to help users installing Vault.
Without any arguments, the command launches a Docker Vault developer instance, easy to use and test the functions.
The developer version is already initialized and unsealed.
To launch a Vault server please refer to the VaultDocker documentation: